Drift lost $285M on April 1 — it was preventable

Catch the attack.
Prove the defense.

Attentra is real-time, read-only, Solana-native monitoring for DeFi protocols. Every admin action on your program is watched — durable nonces, authority changes, oracle swaps, parameter mutations — and your team is alerted the moment something drifts. Your security posture is continuously published on-chain as a tamper-evident attestation anyone can verify without trusting our dashboard. Zero keys. Zero custody. Zero sleep lost.

$285M
Drained from Drift in a single
afternoon, April 1, 2026
5 stages
Of the Drift attack that a monitoring
layer would have flagged
~60 sec
Between posture change and
on-chain attestation update
1st
Solana-native protocol monitoring
with on-chain attestation
Case study / April 1, 2026

An attack that took months
and three signatures.

The attackers didn't exploit Drift's code. They exploited its signing pipeline. Over months they built relationships with the Drift Security Council, learned its routines, and used Solana's durable-nonce primitive to get legitimate admins to pre-sign transactions that would execute weeks later.

When those dormant signatures were finally triggered, they handed attackers admin control. Within minutes a fake token was whitelisted as collateral, an oracle the attackers controlled priced it at $1, and 500M of it was borrowed against to drain $285 million in real assets.

Nothing about this attack required a zero-day. Every stage was public on-chain activity. Every stage looked suspicious in isolation and damning in sequence. What was missing was the layer watching for it.

Drift post-mortem, Chainalysis analysis · April 2026
What Attentra would have flagged
i
Attacker creates fake CVT token
March 12, 2026 — attacker deploys CarbonVote Token, mints 750M supply, seeds a Raydium pool with $500 liquidity. Wash-trades back and forth to anchor price near $1.
⚠ Would flag — watchlist: attacker wallet → new token deployment
ii
Durable nonces seeded on admin accounts
March 23-30 — dormant pre-signed transactions are queued against Drift Security Council accounts via Solana's durable nonce system.
CRITICAL — Attentra alerts on first nonce
iii
Admin control silently transferred
April 1, 16:05 UTC — a dormant signed transaction is triggered. Security Council authority is quietly rotated to attacker-controlled keys.
CRITICAL — authority change detected in under 400ms; attestation turns red; on-call paged
iv
CVT whitelisted as collateral
16:07 UTC — governance parameter updated to accept CVT with no borrow limit. Simulation shows: "this action enables unlimited borrowing against a $500-liquidity token."
CRITICAL — simulation makes the intent obvious
v
$285M drained to attacker wallets
16:12-16:38 UTC — 500M CVT deposited, $285M in USDC/SOL/ETH withdrawn. Funds bridged off-chain within an hour.
⚠ Too late — the earlier stages were the defense window
What we monitor

Every surface an
attacker actually touches.

Not smart-contract audits — monitoring. We watch the seven dimensions of admin-surface activity where real attacks originate on Solana.

01

Durable nonces

Pre-signed transactions that can execute weeks after signing — the Drift vector. Every nonce creation and consumption on admin-adjacent accounts is flagged.

Critical signal
02

Upgrade authorities

Program upgrades, authority transfers, and freeze events on every program you deploy or depend on. Any change to who can deploy code is flagged within seconds.

Critical signal
03

Governance parameters

Fee changes, collateral whitelists, borrow caps, oracle account swaps. The actual substance of what your protocol does, monitored for every mutation.

High signal
04

Admin signer changes

New multisig members, lowered thresholds, removed signers. The same playbook attackers used against Drift, detected the moment it executes.

Critical signal
05

Oracle path integrity

New price feeds, feed authority changes, stale feeds, price deviations outside tolerance. The fake-CVT-at-$1 pattern, caught before anything borrows against it.

Critical signal
06

Admin wallet behavior

New counterparties, unusual staking activity, cross-chain movement, any interaction with known drainer or phishing wallet graphs.

High signal
07

Dormant signed transactions

The sleeping half of the Drift attack — signed transactions that haven't executed yet. We find them before the trigger pulls.

Critical signal
Plus custom heuristics
specific to your protocol.

Every integration starts with a surface review — we map your protocol's specific admin topology and add bespoke rules.

08

Correlated intelligence

Patterns that span multiple protocols or wallets. If an attacker grooms one Solana protocol, every other Attentra customer benefits from the signal.

Network effect
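The durable-nonce signal (stage ii of the case study, dimensions 01 and 07) can be read straight off a decoded transaction, because the System Program's nonce instructions carry fixed discriminants. This is an added example, not Attentra's code: `nonce_findings`, the severity labels and the placeholder account names are assumptions for illustration, and the input follows the JSON shape of the RPC `getTransaction` response.

```python
SYSTEM_PROGRAM = "1" * 32  # System Program address: thirty-two '1' characters
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# SystemInstruction discriminants (u32 little-endian at the start of the data)
NONCE_OPS = {4: "AdvanceNonceAccount", 6: "InitializeNonceAccount",
             7: "AuthorizeNonceAccount"}

def b58decode(s):
    """Minimal base58 decoder for instruction data."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def nonce_findings(tx, watched):
    """Return one finding per nonce instruction in a getTransaction-style dict."""
    msg = tx["transaction"]["message"]
    keys = msg["accountKeys"]
    touched = sorted(set(keys) & set(watched))  # watched admin accounts in this tx
    findings = []
    for pos, ix in enumerate(msg["instructions"]):
        if keys[ix["programIdIndex"]] != SYSTEM_PROGRAM:
            continue
        data = b58decode(ix["data"])
        op = NONCE_OPS.get(int.from_bytes(data[:4], "little")) if len(data) >= 4 else None
        if op is None:
            continue
        findings.append({
            "op": op,
            "nonce_account": keys[ix["accounts"][0]],
            # a durable-nonce transaction advances the nonce in its first instruction
            "durable_tx": op == "AdvanceNonceAccount" and pos == 0,
            "watched_accounts": touched,
            "severity": "critical" if touched else "info",
        })
    return findings

# Constructed sample: account names are placeholders, not real addresses.
SAMPLE_TX = {"transaction": {"message": {
    "accountKeys": ["FEE_PAYER_PLACEHOLDER", "NONCE_ACCOUNT_PLACEHOLDER",
                    "COUNCIL_SIGNER_PLACEHOLDER", "RECENT_BLOCKHASHES_PLACEHOLDER",
                    SYSTEM_PROGRAM, "GOVERNANCE_PROGRAM_PLACEHOLDER"],
    "instructions": [
        {"programIdIndex": 4, "accounts": [1, 3, 0], "data": "6vx8P"},
        {"programIdIndex": 5, "accounts": [2], "data": "3Bxs"},
    ]}}}
```

Accounts loaded through address lookup tables in versioned transactions are not in `accountKeys`, so a production check would also resolve those before matching the watchlist.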
Example alert

An alert your
team can actually act on.

Every alert includes the raw transaction, a plain-English simulation of what changes, severity reasoning, and a runbook. No ops team has to translate crypto into English.

Severity — Critical
14:07:22 UTC · 4,210ms ago
Collateral whitelist mutation on governance.drift.vault
Governance authority 6rLk...4rA9 submitted an update_asset_config transaction. Admin action on collateral parameters — highest severity class. Simulation below.
Simulation · post-state diff
// token CVT · 4zmA...8nXq (deployed 20 days ago)
// collateral_factor 0.00 → 0.99
// borrow_cap 0 → unlimited
// oracle_source 9Bpx...3aLm (feed authority: same as attacker)
// reported_price $1.00 · oracle wash-traded to anchor
// impact Enables unlimited borrowing against $500-liquidity token. Est. drainable: ~$285M
On-chain attestation

Your security posture,
published on the chain
you already use.

Monitoring tells your team something went wrong. Attestation tells everyone else how you're doing — and does it without asking anyone to trust our dashboard.

Every Attentra customer gets an on-chain attestation account. Every 60 seconds, our engine evaluates your declared security invariants — upgrade authority, admin signer set, timelock duration, oracle feeds, bytecode hash, governance config — and writes the current state to your attestation PDA.

The PDA is a normal Solana account. Your investors, your insurers, your users, your auditors, your aggregator of choice can query it from any RPC endpoint in two seconds. No API key. No Attentra dashboard login. No trust in us beyond the checks themselves, which are open-source and independently reproducible.

A Solana security product that isn't on Solana is just another dashboard. We're on-chain, by construction.

Program ID
AttrentraAttstn...11111
Open source
github.com/attentra-labs/attestation
Live attestation · example
LendingCore v2
verified 34s ago
90
HEALTHY
Upgrade authority unchanged · critical
Admin signer set matches · critical
Oracles not swapped · critical
Bytecode hash matches last audit · critical
Timelock duration reduced 48h → 24h · warning
No dormant signer activation · warning
By design

What if you flag a protocol
that's actually fine?

On-chain attestations are powerful — and dangerous if misused. A false positive published to chain could trigger a panic sell-off in seconds. We designed against that from day one, in four layers.

01
Severity gradient, not binary
The attestation is a structured 0–100 score plus per-check pass/fail flags — not a "safe / danger" verdict. A score of 70 means three checks pass and one fails: actionable for insurers, transparent for users, no panic trigger.
02
Confirmation delay before publication
When a check first fails, we don't write to chain. We wait for three consecutive evaluation cycles — about three minutes — to confirm before publishing. This filters out chain reorgs, RPC inconsistencies, and the most common transient artifacts.
03
Dual-state attestation
When a change is detected, a pending review state is published to chain immediately — the public sees something is happening. The protocol team then has a five-minute window to mark planned governance actions as expected before the score finalizes. The override action itself is on-chain and queryable: frequency becomes diligence material for VCs and underwriters, accountability for the protocol.
04
Independent verification, always
The verifier is open source. Anyone reading the attestation can re-run every check against current chain state in 30 seconds. Stale flags self-correct as soon as someone re-evaluates. Bots that act on a single read take their own risk — by design, not by accident.
We don't publish red flags. We publish confirmation-delayed evidence that withstands independent re-evaluation.
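The confirmation delay and dual-state layers above, sketched as a per-check state machine. This is an added example, not Attentra's code: the page gives the three-cycle and five-minute figures but not how they combine, so the rule used here (publish `fail` only once both have elapsed), the `expected` state name and all function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

CONFIRM_CYCLES = 3        # consecutive failing cycles before a failure is confirmed
OVERRIDE_WINDOW_S = 300   # five-minute window to mark a change as expected

@dataclass
class CheckState:
    published: str = "pass"              # pass | pending | expected | fail
    fail_streak: int = 0
    first_fail_at: Optional[float] = None
    expected: bool = False

def mark_expected(state, now):
    """Team override; accepted only while the review window is open."""
    if state.first_fail_at is None or now - state.first_fail_at > OVERRIDE_WINDOW_S:
        return False
    state.expected = True
    return True

def evaluate(state, check_passed, now):
    """Run one evaluation cycle and return the state to publish."""
    if check_passed:
        # A single passing cycle resets the streak, so a reorg or RPC glitch
        # never reaches a published failure.
        state.fail_streak, state.first_fail_at, state.expected = 0, None, False
        state.published = "pass"
        return state.published
    if state.fail_streak == 0:
        state.first_fail_at = now
    state.fail_streak += 1
    confirmed = state.fail_streak >= CONFIRM_CYCLES
    window_over = now - state.first_fail_at >= OVERRIDE_WINDOW_S
    if state.expected:
        state.published = "expected"
    elif confirmed and window_over:
        state.published = "fail"
    else:
        state.published = "pending"
    return state.published

def replay(results, overrides_at=(), cycle_s=60):
    """Feed a sequence of check results through the machine, one per cycle."""
    state, out = CheckState(), []
    for i, ok in enumerate(results):
        now = i * cycle_s
        if now in overrides_at:
            mark_expected(state, now)
        out.append(evaluate(state, ok, now))
    return out
```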
How it works

One integration.
Five defensive layers.

Attentra runs alongside your existing audits and monitoring — not instead of them. Five stages, zero code changes to your protocol, no private keys shared.

Ingest

Dedicated Solana validator + Yellowstone gRPC. Every slot, every transaction touching your admin surface, within 400ms of finality.

Classify

Seven detection dimensions, ensemble heuristics, protocol-specific rules. Every action tagged with severity and evidence.

Simulate

Pending and dormant transactions simulated against current state. Output is plain-English: "this enables X to borrow Y against Z."

Attest

Your security posture is published to an on-chain attestation account every ~60 seconds. Tamper-evident, independently verifiable, queryable by anyone with an RPC.

Alert

Slack, Discord, PagerDuty, SMS, webhooks. Every alert includes evidence, simulation, and a runbook. Your team gets what they need to act — not a riddle to decode.

Who Attentra is for

If your protocol has
an admin key, you need us.

Every protocol with multisigs, upgrade authorities, or governance parameters has Drift's exposure surface. Attentra is priced so small protocols can afford it and large ones can't afford not to.

Tier 1 · Large DeFi

Protocols with $100M+ TVL and active governance

Complex admin surfaces. Multiple multisigs. Oracle dependencies. The teams that cannot afford the headline "drained overnight."
Typical buyers: lending protocols, perps DEXes, liquid staking, aggregators, LST infrastructure, DAO-governed platforms.
Tier 2 · Mid-market

Emerging protocols between $10M–$100M TVL

The teams most likely to get targeted next. Enough TVL to be worth the attacker's time, small enough that one incident ends the protocol permanently.
Typical buyers: new lending markets, prediction markets, RWA platforms, vault protocols, novel DeFi primitives.
Tier 3 · Adjacent

Treasuries, bridges, and issuers

Any entity managing real capital on Solana via multisigs or programmatic admin authority. Bridges especially — historically the DPRK's preferred target.
Typical buyers: DAO treasuries, cross-chain bridges, stablecoin issuers, tokenized equity platforms, ecosystem foundations.
Pricing

Priced like insurance,
not software.

Three steps on the same ladder. Start where you can. Upgrade as you earn the right to attest more. Every tier publishes an on-chain score that anyone can read and re-verify with our open-source CLI — the only thing that changes between tiers is how much of your protocol's reality the score is allowed to reflect.

Starter
1,500 USDC/mo
Public surfaces only. No integration meeting required.
We watch what's already on chain — your program ID, admin multisig, oracle feeds, upgrade authority. You can be onboarded today.
  • 7-dimension detection on public surfaces
  • On-chain attestation (up to 6 invariants)
  • Slack + email alerts
  • Embeddable posture badge
  • Public posture page
Premium
8,000 USDC/mo
ZK-attested internal configuration.
The strongest signal an underwriter can read. Your private oracle config, your incident-response runbook, your governance lockboxes — all attested without revealing the underlying data.
  • Everything in Standard
  • On-chain attestation (up to 64 invariants)
  • ZK-proof attestation of private config
  • Custom detection rules
  • Private attestation schema fields
  • 24/7 on-call response, 15-minute SLA
Enterprise
Custom
Ecosystems, multi-protocol issuers, regulated entities.
For organizations operating multiple protocols or underwriting other protocols. Bespoke deployment, dedicated infra, contractual SLAs.
  • Multi-protocol coverage
  • Dedicated infrastructure
  • SLA with penalties
  • On-chain posture API
  • Annual contracts
Annual contracts at 15% discount · Paid 30-day pilot available for all tiers
The ladder, not the menu

Most security tools price by feature gating. We don't — every tier runs the full detection engine. The tiers represent how much of your protocol's reality the attestation is allowed to reflect. Starter speaks only about your public surfaces. Standard speaks about your declared private commitments. Premium speaks about your private internal configuration under ZK proof. The score on chain becomes a richer, more credible signal as you climb — which is what insurance underwriters and capital allocators reward.

For underwriters & capital allocators

Standard of Care, on chain.

Modern DeFi insurance underwriters need continuous, verifiable evidence that the protocols they cover are operating within their declared parameters. Manual diligence does not scale to the rate at which DeFi protocols ship changes.

Attentra is the on-chain artifact that satisfies this requirement. A live, tamper-evident, third-party-verifiable record of protocol security state — updated every minute, queryable from any RPC, re-verifiable in 30 seconds with our open-source CLI.

3–5×
faster underwriting per protocol
Replace weeks of manual diligence with a single PDA read
30–60%
premium reduction for attested protocols
Continuous attestation as a quantifiable risk discount
0
trust required between underwriter and us
Open-source CLI verifier; the artifact lives on chain
Ecosystem positioning
STRIDE
The credential.
Solana Foundation–funded periodic security evaluation, administered by Asymmetric Research. Eight categories, human-reviewed, results published quarterly. The baseline.
Attentra
The heartbeat.
Continuous machine attestation between credentials. On-chain, queryable, composable in DeFi program logic. 60-second cycle, third-party verifiable. The live signal.

STRIDE established the periodic credential layer for Solana DeFi security in April 2026. Attentra is the continuous attestation layer that operates between STRIDE evaluations — minute-by-minute, machine-readable, and embeddable in other protocols' code. Two layers of the same stack. Not competitive — complementary.

If you are an underwriter

We are actively designing the integration surface for DeFi insurance protocols and traditional insurers exploring continuous-attestation underwriting. The attestation schema is open; the CLI verifier is open source; the math is deterministic. If you would like to evaluate Attentra as your underwriting substrate, reach out.

The next attack
is already being planned.

A 20-minute call. We'll show you what Attentra found on your protocol in the last 90 days using only public data. If the number matters, we'll onboard you next week.